==================================================================
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
Read of size 4 at addr ffff8881c599c0dc by task systemd-udevd/3370

CPU: 0 PID: 3370 Comm: systemd-udevd Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x92 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:580 [inline]
 ath9k_hif_usb_rx_cb+0xad3/0xf90 drivers/net/wireless/ath/ath9k/hif_usb.c:666
 __usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405
 expire_timers kernel/time/timer.c:1450 [inline]
 __run_timers kernel/time/timer.c:1774 [inline]
 __run_timers kernel/time/timer.c:1741 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787
 __do_softirq+0x21e/0x9aa kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:207 [inline]
RIP: 0010:test_bit include/asm-generic/bitops/instrumented-non-atomic.h:111 [inline]
RIP: 0010:PageUptodate include/linux/page-flags.h:512 [inline]
RIP: 0010:filemap_map_pages+0x4f3/0xff0 mm/filemap.c:2618
Code: 07 00 00 e8 cf 79 ef ff be 08 00 00 00 4c 89 e7 e8 72 c0 18 00 4c 89 e0 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 08 00 <0f> 85 b6 0a 00 00 49 8b 1c 24 31 ff 48 c1 eb 02 83 e3 01 89 de e8
RSP: 0000:ffff8881d89afbf0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffffd4000ed23c0 RBX: ffffea0007691dc8 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffea0007691e00
RBP: ffffea0007691e34 R08: ffff8881c5f46300 R09: fffff94000ed23c1
R10: ffffea0007691e07 R11: fffff94000ed23c0 R12: ffffea0007691e00
R13: 0000000000000000 R14: 0000000000000035 R15: ffffea0007691e00
 do_fault_around mm/memory.c:3807 [inline]
 do_read_fault mm/memory.c:3841 [inline]
 do_fault mm/memory.c:3975 [inline]
 handle_pte_fault mm/memory.c:4215 [inline]
 __handle_mm_fault+0x1f99/0x2da0 mm/memory.c:4345
 handle_mm_fault+0x2ec/0x8d0 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1464 [inline]
 do_page_fault+0x51e/0x127d arch/x86/mm/fault.c:1535
 page_fault+0x34/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0033:0x7f36392ff640
Code: Bad RIP value.
RSP: 002b:00007fffd268e8c8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000557e7a6fd710 RCX: 00007f36398852f0
RDX: 0000000000000001 RSI: 00007f3639881270 RDI: 0000557e79f48384
RBP: 0000000000000000 R08: 00007f363a5328c0 R09: 00007f3639881270
R10: 00007f363a5328c0 R11: 0000000000000206 R12: 0000557e7a6fc010
R13: 0000557e7a700ea0 R14: 0000557e7a6fc010 R15: 0000557e7a6fc028

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881c599c000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 220 bytes inside of
 1024-byte region [ffff8881c599c000, ffff8881c599c400)
The buggy address belongs to the page:
page:ffffea0007166600 refcount:1 mapcount:0 mapping:0000000022e6a05a index:0x0 head:ffffea0007166600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da002280
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c599bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c599c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881c599c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff8881c599c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881c599c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================